Security Engineering Lecture Notes (4/7)

고려대학교정보보호대학원

마스터 제목 스타일 편집

Security Policy Modeling

Introduction to Formalization

Informal method English (or other natural language)

Semiformal methods Gane & Sarsen/DeMarco/Yourdon Entity-Relationship Diagrams Jackson/Orr/Warnier SADT, PSL/PSA, SREM, etc.

Formal methods Finite State Machines Petri Nets Z ANNA, VDM, CSP, etc.

Formalization

(M202, Open University, UK) A safe has a combination lock that can be in one of three positions, labeled 1, 2, and 3. The dial can be turned left or right (L or R). Thus there are six possible dial movements, namely 1L, 1R, 2L, 2R, 3L, and 3R. The combination to the safe is 1L, 3R, 2L; any other dial movement will cause the alarm to go off.

FSM Example

[State Transition Diagram]

[Transition Table]

Delimit the system’s boundary : the system and its environment.

Characterize a system’s behavior more precisely.

Define the system’s desired properties precisely.

Prove a system meets its specification.

Tell under what circumstances a system cannot meet its specification

What Formal Methods Can Do

These capabilities of formal methods help practitioner in two ways.

Through ( ), focusing on designer’s attention What is interface What are the assumptions about the system What is the system supposed to do under this

condition and that condition What are the system’s invariant properties

Through ( ) Prove a system meet its security goals Find out the weakness of the system

How They Can Help

The UK and European style Focus was on ( ), on the system’s

high level design and on the paper-and-pencil analysis.

The US and Canadian style Focus was on ( ), from the

system’s high level design through its code-level implementation down to its bit-level representation in hardware, and on machine-assisted analysis.

Two Different Styles of Formal Methods

NSA(National Security Agency) was the major source of funding formal methods research and development in the 70s and early 80s.

Early formal method centered on proving systems secure.

The systems of interest to prove secure were operating systems, more specifically, ( ).

History - Past

US Trusted Computer System Evaluation Criteria

Produced by NCSC (National Computer Security Center) in 1985.

Provide a standard metric for NCSC to compare the security of different computer systems.

Guide computer system vendors in the design and development of secure systems.

The Orange Book

Provide a means for specifying security requirements in Government contracts.

Levels : D, C1, C2, B1, B2, B3, A1, (A2)

Certified ( ) means that one formally specify the system’s security requirements, formally model the system and formally prove that the model meets its specification.

The Orange Book

Major results of early 80s were theorem proving tools with general purpose.

Affirm (USC)

Formal Development Methodology (FDM) System (System Development Corporation)

Gypsy (U. Texas Austin)

(Enhanced) Hierarchy Development Methodology (HDM) (Stanford)

Major Results of Early 80s

Since early 90s, there was an explosion of new developments.

Three threads in the development of formal methods

History - Present

Categorization of Formal Methods

Theorem Proving vs. Model Checking

In 1996, model checker FDR was used to exhibit a flaw in the Needham-Schroeder protocol.

Since then many other model check tools or other proving tools showed the same thing.

Other protocols were or are being checked. SSL by Stanford IKE, SET by Meadows Netbill electronic payment protocol

Model Checking

General purpose theorem prover Isabelle was used to reason 5 classic authentication protocols and their variation.

Coq was used to analyze the Needham-Schroeder protocol and SET.

PVS was used to verify authentication protocol.

Theorem Proving

Embodies both model checking and theorem proving functionalities.

Improved NRL protocol analyzer analyze IKE and SET protocol.

Improved NRL embodies both model checking (e.g., brute force search)and theorem proving (e.g., lemma generation).

Hybrid Approaches

Systems will never made 100% secure. Formal methods will not break this axiom.

Assumptions about the system’s environment Hard to state them explicitly.

The system could be deployed ( ). For convenience or lack of an alternative

Clever intruders find out ( ).

The Limits of Formal Methods

Security (Policy) Modeling

State ( ) should be protected.

A security policy is a statement of what is, and what is not, allowed. Confidentiality : Who is allowed to learn

what? Integrity : What changes are allowed by

system. … includes resource utilization, input/output to

environment.

Availability : When must service be rendered.

And ( ) this should be achieved.

Security Policy

( ) Specification of Security Policy

(e.g.) DAC Model, MAC Model, Bell-LaPadulaModel, Biba Model, Clark-Wilson Model, Harrison-Ruzzo-Ullman Model, Chinese Wall Model, RBAC Model, etc.

Security Policy Model (SPM)

Evidence that the set of security requirements is complete, consistent and technically sound.

Completeness : If the completeness of rules can completely be

verified, the ( ) rate will be zero.

Soundness : If the soundness of rules can be completely

verified, the ( ) rate will theoretically be proved to be zero.

Security Policy Assurance

Realized that ( ) system posed security issues that went beyond the traditional concerns for secure communications. ( ) (@ NSA) talked 3 important issues :

( ) determining the requirements for U.S. government computer systems to execute securely in the presence of malicious users. http://dx.doi.org/10.1109/MSP.2008.15

Reference Monitor

Security Kernel

Reference Monitor

Authentication : Method of ( ) the identity. Identification : Method of ( ) the

subject's (user, program, process) identity.

Authorization : The mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.

Authentication & Authorization

Authentication

Authentication (사용자인증) = “Verification” Authentication mean verifying the user is

actually who he says he is (or who she says she is).

( ) ( ) matching

Identification (개인식별) Identification means you don’t know anything

about the person and you are trying to identify them.

( ) ( ) searching

Methods

마스터 제목 스타일 편집Password

Alice (PWDA)Server

……

PWDBBob

PWDAAlice

PasswordID

Alice, PWDA

"Replay" attacks are "Man in the middle" attacks that involve intercepting data packets and replaying them, that is, ( ) (with no decryption) to the receiving server.

Replay Attack

Alice (PWDA)Server

……

PWDBBob

PWDAAlice

PasswordID

Alice, PWDA

Replay Attack

Alice (PWDA)Server

……

PWDBBob

PWDAAlice

PasswordID

Alice,

Countermeasures

Password guessing attacks can be classified into two.

Brute Force Attack : A Brute Force attack is a type of password guessing attack and it consists of trying every possible code, combination, or password until you find the correct one. This type of attack may take long time to complete. A complex password can make the time for identifying the password by brute force long.

Dictionary Attack : A dictionary attack is another type of password guessing attack which uses a dictionary of common words to identify the user’s password.

Password Guessing Attacks

마스터 제목 스타일 편집Brute Force Attack

Which is the better error message?

Countermeasures

Dictionary Attack

Alice (PWDA)Server

Alice,

E(PWDA,Time)

ID Password

Alice PWDA

Bob PWDB

… …

Dictionary Attack

Alice (PWDA)Server

Alice,

E(PWDA,Time)

ID Password

… …

An attacker with unprivileged access to the system can ( ) of every user's password. Those values can be used to mount a brute force attack or dictionary attack offline, testing possible passwords against the hashed passwords relatively quickly ( ) system security arrangements designed to detect an abnormal number of failed login attempts.

Dictionary Attack

The best method of preventing password cracking is to ensure that attackers cannot get access even to the hashed password.

Using ( ) prevents attackers from efficiently mounting offline attacks against ( ) user accounts simultaneously.

Countermeasures

Alice (PWDA)Server

Alice,

E(PWDA,Time)

ID Salt Password

… … …

The best method of preventing password cracking is to ensure that attackers cannot get access even to the hashed password.

Using ( ) prevents attackers from efficiently mounting offline attacks against ( ) user accounts simultaneously.

Using ( ), such as PBKDF2, to form password hashes can significantly reduce the rate at which a ( ) user's account can be tested (a.k.a. ).

Countermeasures

PBKDF2

Grid OTP

RSA SecurID

SeedTime

354982

ACE/ServerAuthenticator

Algorithm

SeedTime

354982

Algorithm

Same Seed

Same Time

RSA SecurID with Transaction Signing

Authorization (Access Control)

DAC Model

Individuals Resources

Server 1

Server 3

Server 2

Name AccessTom YesJohn NoCindy Yes

ApplicationAccess List

DAC protects information on a ( ) basis.

Data owners decide who has access to resources. This model is called ( ) because the

control of access is based on the discretion of the owner.

DAC systems grant or deny access based on the identity of the subject. The identity can be a user identity or group membership.

The most common implementation of DAC is through ACLs, which are dictated and set by the owners and enforced by the operating system.

DAC Model

DAC does ( ) from being made and there is ( ).

Modern approaches to information sharing and trusted computing seek to maintain control over copies.

DAC Model Weaknesses

Alice (owner) Bob

EMP EMP COPY

Alice does notwant Eve to have access to EMP

Alice grants Bob the access to EMP

Bob can make a copy of EMP and grant Evethe ability to access the copy.

This case is a simplistic version of what can be much more pathological… The Trojan Horse…

DAC Model Weaknesses (Trojan Ver.)

File FA:r

File GB:r

Bob cannot read file F

DAC Model Weaknesses (Trojan Ver.)

File FA:r

File GB:r

B can read contents of file F copied to file G

Program Goodies

Trojan Horse

executes

MAC Model

Individuals Resources

Server 1“Top Secret”

Server 3“Classified”

Server 2“Secret”

top secret

secret

confidential

unclassified

Mandatory access control (MAC) model protects information by assigning clearances to users which define what the sensitivity level of information they are allowed to access.

The clearances assigned to users under MAC are strictly enforced; Permissions ( ) at a

user’s discretion.

MAC Model

Traditional MAC : hierarchicalsecurity levels ( )

MAC : Traditional Model

top secret

secret

confidential

unclassified

Top Secret

Secret

Confidential

Restricted

Unclassified

Satellite data

Afghanistan

Middle East

IsraelClearance Levels

Category (Compartment)

MAC : Traditional Model

MLS(Multi-Level Security) : By the ( ) policy, categories (( ) by the subset relation) are used as well as the security levels (( ) in lattices.

MAC : MLS Model

Classification of personnel and data Class = rank, compartment

Access Control Document X is restricted : rankX, compartmentX

A Person has a clearance : rankP, compartmentP

If rankX, compartmentX rankP, compartmentP → P may access X

Dominance relation ()

rankX, compartmentX rankP, compartmentP ⇔rankX rankP and compartmentX compartmentP

rankX, compartmentX is dominated by rankP, compartmentP

MAC : MLS Model

Introduced by Mathematicians ( ) and ( ) of MITRE in 1973.

Before the Bell-La Padula Model, An initial effort for securing time-sharing system was commissioning computer experts, called “Tiger Teams”, to test the security robustness of computer systems.

However, the conclusions drawn from Tiger Teams was the ultimate ( ) and the ( ) in computer systems.

BLP Model of MLS

Bell and LaPadula gave the first formal, mathematical MAC model of MLS to provide ( ) of correctness. Implements an ( ) using a

lattice with compartments and an access control matrix. i.e., augment DAC(DS-Property) with MAC(SS-Property, ) to enforce information flow policies.

BLP information flow policy : Information is allowed to flow from less

trustworthy subjects to more trustworthy subjects. i.e., Information cannot leak to subjects who are not cleared for the information.

BLP Model of MLS

However, there are still some problems with the BLP formulation of MLS. These include :

only dealing with confidentiality, not withintegrity.

having no policies regulating the modification of access rights.

Does not deal with information flow through covert channels.

BLP Model of MLS

BLP Model in a Nutshell

Unclassified

Top Secret

Read down, write up

Unclassified

Top Secret

Read up, write down

BLP Model in a Nutshell

Subject Object

ReadRead

Top Secret (High)

Unclassified (Low)

Secret

Confidential

Task was to propose a theory of multi-level security

supported by a mechanism implemented in a ( )

prevents unwanted ( )

BLP Model in Formal

Elements of Access Control

a set of subjects S

a set of objects O

set of access operations A = {execute, read, append, write}

A set of security levels L, with a partial ordering <=

BLP Model in Formal

The State Set

BLP Model in Formal

Simple Security Property (SS-Property)

BLP Model in Formal

Simple Security Property (SS-Property)

BLP Model in Formal

Top Secret (High)

Unclassified (Low)

Secret

Confidential

*-Property (Star-Property)

BLP Model in Formal

*-Property (Star-Property)

BLP Model in Formal

Discretionary Security Property (DS-Property)

Access must be permitted by the access control matrix MS,O.

BLP Model in Formal

MULTICS for the Air Force Data Services Centre (time-sharing OS)

MITRE brassboard kernel

SIGMA message system

KSOS (Kernelized Secure Operating System)

SCOMP (Secure Communications Processor)

PSOS (Provably Secure Operating System)

SELinux

multi-level Database Management Systems

Real World Examples Built on BLP

[Note] MULTICS

www.wiley.com/go/gollmann

current process

current-level table

w:off r:on e:off

segment-id ptr

descriptor segment of current process

subject

segment-id

object

current pro. Lc segment-id LOLC LO?

parent directory

descriptor segment base register

What happens if we have ...

Proposed System Z = BLP + ( )

Is the system secure?

It satisfies every security property of BLP!

The Criticism of McLean

Tranquility

McLean’s scenario is really ( )for BLP.

BLP considered tranquil systems,

Either a system or an operation may be tranquil A tranquil operation does not change access

rights.

A tranquil system has no non-tranquil operations.

Tranquility

Tranquility is a particular concern when operation tries to remove an access right

currently in use.

How should this be resolved?

Main Contributions of BLP

Covert channels ( ) be blocked by *-property.

Covert channel : A communication channel is covert if it is neither designed nor intended to transfer information at all.

It is generally very difficult, if not impossible, to block all covert channels.

One can try to ( ) of covert channels.

Military requires cryptographic components be ( ).

to avoid trojan horse leaking keys through covert channels.

Covert Channels

Low User

High Trojan HorseInfected Subject

High User

Low Trojan HorseInfected Subject

COVERTCHANNEL

Information is leaked unknown to the high user

( ) to BLP (1977).

State machine model similar to BLP.

Defines ( ) levels, analogous to sensitivity/security levels of BLP.

No read-down (SS-Property) Subjects can only view content at or above their

own integrity level.

No write-up (*-property) Subjects can only create content at or below

their own integrity level.

Biba Model

Biba Model in a Nutshell

Garbage

High Integrity

Read up, write down

Garbage

High Integrity

Read down, write up

Biba Model in a Nutshell

Subject Object

High Integrity (High)

Garbage (Low)Write

WriteRead

S2Some Integrity

Suspicious

Authors address security requirements of ( ) applications (D. Clark, D. Wilson, A Comparison of Commercial and Military Computer Security Policies,

IEEE Symposium on Security and Privacy, 1987).

In opposition to ( ) requirements.

From the beginnings of the Computer Security Initiative, there were objections that the Department of Defense and the intelligence community security policies based on classifications did not apply in the civilian and commercial world.

Clark-Wilson Model

Enforcing Integrity via ( ).

Well-formed transactions move a system from one consistent state to another consistent state.

Its primary contribution to security policies was to introduce access triples ( ), where previous work had used duples ( ) or ( ).

Users have access to ( ) rather than ( ) itself.

Clark-Wilson Model

Enforcing Integrity via 'well formed transaction‘.

Well-formed transactions move a system from one consistent state to another consistent state.

Its primary contribution to security policies was to introduce access triples (user, program, file), where previous work had used duples (user, file) or (subject, object).

Users have access to programs rather than data itself.

Clark-Wilson Model

Verify integrity

Transform: valid valid

Constrained Data Items (CDI) : data subject to Integrity Control Eg. Account balances Integrity constraints constrain the values of the CDIs

Unconstrained Data Items (UDI) : data not subject to IC Eg. Gifts given to the account holders

Integrity Verification Procedures (IVP) Test CDIs’ conformance to integrity constraints at the

time IVPs are run (checking that accounts balance)

Transformation Procedures (TP) : E.g., Depositing money Withdrawing money Money transfer etc.

Clark-Wilson Model

Clark-Wilson security model is often implemented in modern database management systems (DBMS) such as: Oracle, DB2, MS SQL, and MySQL.

Real World Examples Built on CW

BLP has no policies for ( ) access rights or for the ( ) and ( ) of subjects and objects.

The Harrison-Ruzzo-Ullman (HRU) model defines authorization systems that address these issues (Michael A. Harrison, Walter L. Ruzzo, Jeffrey D. Ullman: Protection in Operating

Systems. Commun. ACM 19(8): 461-471 (1976)).

Study whether any properties about reachable sets can be stated. These are “( )”

i.e. can a sequence of transitions reach a state of the matrix with (x, o, r)?

Why? This would be used to build a “security argument” that the access control policy realizes some properties of the security policy!

Harrison-Ruzo-Ullman Model

The components of the HRU model: set of subjects S set of objects O set of access rights R access matrix M = (Ms,o)s∈S,o∈O : entry Ms,o is a subset of R

giving the rights subject s has on object o

Six primitive operations for manipulating subjects, objects, and the access matrix :

enter r into Ms,o

delete r from Ms,o

create subject s delete subject s create object o delete object o

Harrison-Ruzo-Ullman Model

The access matrix describes the state of the system; Commands change the access matrix Ms,o→Ms,o’.

Checks need to be done in order to avoid undesirable access rights to be granted.

HRU model has some definitions and theorems about the decidability of the safety of the system.

Lessons Learned in HRU Model

The moral of those theorems is :

Lessons Learned in HRU Model

Introduced by Brewer and Nash in 1989

The motivation for this work was to avoid that sensitive information concerning a company be disclosed to ( ) through the work of financial consultants.

Provides access controls that change dynamically!

Chinese Wall Model in a Nutshell

How it works :

Users have no “wall” initially.

Once any given file is accessed, files with competitor information become inaccessible.

Unlike other models, access control rules change ( ).

Chinese Wall Model in a Nutshell

We have :

Set of Companies Analysts – Subjects Items of Information – Objects Objects concerning the same company –

Company Dataset Companies in competition – Conflict of Interest

class. A set of companies that should not learn about the contents of the object

Object security label – pair (CDataset, CoI Class) Sanitised Information – purged of sensitive

information, thus has no Conflict of Interest Object access history

Chinese Wall Model

Bank of America

CitibankBank of the

Bank COI Class

Shell Oil

Union ’76

StandardOil

Gasoline Company COI Class

SS-Property :

“Prevents a subject from being exposed to a conflict of interest.”

Access granted if object belongs to : Company dataset already held by user or

An entirely different conflict of interest class.

Chinese Wall Model

*-Property :

“Prevents un-sanitised information flowing out of a company dataset.”

Write access granted if no other object can be read that : Belongs to a different company dataset.

Contains un-sanitised information.

Chinese Wall Model

RBAC Model

Individuals Roles Resources

Role 1

Role 2

Role 3

Server 1

Server 3

Server 2

User’s change frequently, Roles don’t

Originally developed by David Ferraiolo and Rick Kuhn (1992), and by Ravi Sandhu and colleagues (1996).

A Role-Based Access Control (RBAC) model, also called ‘nondiscretionary access control’, allows access to resources to be based on the ( ) the user holds within the company.

It is referred to as ( ) because assigning a user to a role is unavoidably imposed.

An RBAC is the best system for a company that has high employee turnover.

RBAC Model

Roles implemented in

Window NT (as global and local groups)

IBM’s OS/400

Oracle 8 onwards

.NET framework

Now official standard – approved on Feb. 19 2004

RBAC Model

Categorization of RBAC Model

Core RBAC (also called Flat RBAC) (RBAC0)

Hierarchical RBAC (RBAC1) General role hierarchies Limited role hierarchies

Constrained RBAC (RBAC2) Static Separation of Duty Relations Dynamic Separation of Duty Relations

Consolidated RBAC (RBAC3) Combines Constraints and Role Hierarchies

Categorization of RBAC Model

Core RBAC

USERS ROLES

SESSIONS

OPS OBS

session_rolesuser_session

User Assignment

Permission Assignment

many-to-many relationship

one-to-many relationship

Gives roles activated by the session

User is associated with a session

File system operations: read, write and execute

DBMS operations: Insert, delete, append and update

Core RBAC

UA : user assignments Many-to-many

PA : Permission assignment Many-to-many

Session : mapping of a user to possibly many roles

Permissions : union of permissions from all roles Each session is associated with a single user User may have multiple sessions at the same time

(one to many relationship) In each session, multiple roles can be activated

simultaneously (many to many relationship)

Core RBAC

Users, Roles, Permissions, Sessions

PA P x R (many-to-many)

UA U x R (many-to-many)

user : S U, mapping each session si to a single user user(si)

roles : S 2R, mapping each session si to a set of roles roles(si) {r | (user(si),r) UA} and si has permissions rroles(si) {p | (p,r) PA}

Hierarchical RBAC

USERS ROLES

SESSIONS

OPS OBS

session_roles

User Assignment

Role Hierarchy (RH)

user_session

Role hierarchies are a natural means for structuring roles to reflect an organization’s line of authority and responsibility.

General role hierarchies Include the concept of multiple inheritance of

permissions and user membership among roles.

Limited role hierarchies Impose restrictions Role may have one or more immediate

ascendants, but is restricted to a single immediate descendent.

Hierarchical RBAC

Q) In the absence of role hierarchy, what happens?

A) In the absence of role hierarchy, there are two options for assigning many-to-many permissions to users.

The first is to duplicate permission assignments among roles.

The second option is to assign several roles to users.

Hierarchical RBAC

Inverted Tree

Role Hierarchy Examples

ProductionEngineer 1

Engineer 1

Quality Engineer 1

Engineering Dept

Engineer 2

Quality Engineer 2

Project Lead 1

Quality Engineer 1

Director

Project Lead 2

Quality Engineer 2

Lattice

Role Hierarchy Examples

Engineer 1

Quality Engineer 1

Engineering Dept

Engineer 2

Quality Engineer 2

Project Lead 1

Director

Project Lead 2

( ) : user cannot be authorized for both conflicting roles –mutually exclusive, e.g., teller and auditor.

SSoD policies deter fraud by placing constrains on administrative actions and thereby restricting combinations of privileges that are made available to users.

( ) : user cannot act simultaneously in both roles, e.g., teller and account holder.

DSoD policies deter fraud by placing constrains on the roles that can be activated in any given session thereby restricting combinations of privileges that are made available to user.

Constrained RBAC

SSD with Hierarchical RBAC

USERS ROLES

SESSIONS

OPS OBS

session_roles

User Assignment

Role Hierarchy (RH)

user_session

SSD on the roles r1 and r2 implies that they should not be assigned to the same user.

Dynamic Separation of Duty

USERS ROLES

SESSIONS

OPS OBS

session_roles

User Assignment

Role Hierarchy (RH)

user_session

DSD on the conflicting roles r1 and r2 implies that they should not be invoked in the same session by the same user. But the same user may invoke roles r1 and r2 in different sessions!

Information Flow : Transmission of information from one “place” to another.

Two categories of information flows

( ) : assignment operation y = x

( ) : conditional assignment if x then y = z

Information Flow Security Model

Information Flow Security Model : Based upon flow of information rather than on access controls.

Flow of objects are controlled by security policy that specifies where objects of various levels are permitted to flow.

( ) analysis is simplified.

How do we measure/capture flow?

By ( ) (Information Theory)

Entropy : amount of information that can be derived from an observation.

Change in entropy -> flow

By ( )

A precise quantitative definition for information flow can be given in terms of Information Theory.

The information flow from x to y is measured by the equivocation (conditional entropy)

H(x | y) of x, given y.

Defined by Denning (1976)

Purpose : Guarantee secure information flow as an ordering relation.

Use mathematical framework to formulate requirements.

Instead of a list of axioms governing users’ accesses, simply require that information transfers obey the ordering relation.

Lead to automatic certification programs.

Denning uses a set of axioms to limit program code that will violate security classes.

Sandhu uses the axioms to control information flow at the model level.

The components of the ( ) information flow model are :

SC is a set of security classes may_flow is a relation on SC x SC ‘+’ is a function from SC x SC to SC An information flow policy is a triple

<SC,may_flow,+>

Example:

Denning’s axioms

Under the following assumptions, an information flow policy forms a finite lattice :

Any information flow that violates this is illegal (covert).

Partially ordered set (S, ) and two operations :

greatest lower bound (glb X)

least upper bound (lub X)

Lattice : A finite set together with a partial ordering on its elements such that for ( ) of elements there is a least upper bound and a greatest lower bound.

[Note] Lattice

Why We Need Lattice?

We wish to have unique answers to the following two questions : Given any two objects at different security levels, what is

the ( ) to be allowed to read both objects?

Given any two subjects at different security levels, what is the ( ) so that it can still be read by both subjects?

The mathematical structure that allows us to answer these two questions exist. It is called a lattice.

[Note] Lattice

A system is ‘secure’ if there is no illegal information flow.

Advantages : it ( ) kinds of information flow.

Disadvantages : far more ( ) such systems.

(e.g.) checking whether a given system is secure in the information flow model is an ( ).

One must also distinguish between

static enforcement : considers the system (program) as a static object.

dynamic enforcement : considers the system under execution.

of the information flow policies.

Non-interference model (a.k.a. Goguen-Meseguer security model, 1982) is loosely based on the information flow model; however, it focuses on:

How the actions of a subject at a higher sensitivity level affect the system state or actions of a subject at a lower sensitivity level. (i.e., )

Users (subjects) are in their own ( ) so information does not flow or contaminate other ( )

With assertion of non-interference security policy, the non-interference model can express multi-level security (MLS), capability passing, confinement, compartmentation, discretionary access, multi-user/multi key access, automatic distribution and authorization chains, and downgrading.

Non-Interference Security Model

Information flow is controlled by the security policy, where security policy is a set of non-interference assertions (i.e., “ ".)

Non-interference is to address ( ) and ( ).

Non-Interference Security Model

Uses specific rules that indicate what can and cannot happen between a subject and an object.

Not necessarily ( ).

Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism.

Today, rule based access is used in other types of systems and applications as well (e.g., routers and firewalls).

Rule Based Access Control Model

Structures (= Implementation Technique)

Access Control Structures

Introduced by B. Lampson (Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971. Reprinted in

ACM Operating Systems Rev. 8, 1 (Jan. 1974), pp 18-24.) and extended by Harrison, Ruzzo and Ullman(1976~8)

Columns indexed by objects

Rows indexed by subjects

Matrix entries are (sets of) access operations

Matrices are data structures that programmers implement as table lookups that will be used and enforced by the operating system.

Foundation of many theoretical security models

Access Control Matrix

Objects Oj

Subjects Si

Capabilities aka. Directory-based Access Control

( ) of access control matrix

Store with ( ) in the form of a token, ticket, or key.

e.g., Kerberos, Android

ACL (Access Control List) ( ) of access control matrix

Store with ( )

e.g., Windows NT

Capabilities vs. ACL

Example

R1 R2 R3 R4

S1 rw rwx

S2 x rwx rwx

S3 rwx r r

Capabilities:

S1: {(R1, rw), (R2, rwx)}

S2: …

Access Control lists:

R1: {(S1, rw), (S3, rwx)}

R2: …

(Capabilities e.g.) Kerberos v5

Initial Logon

Ticket-Granting Ticket

Service Request

Client

TargetServer

Service Ticket ST

Client

(Capabilities e.g.) Android

Access Control Lists (ACLs) :

NTFS permissions

Share permissions

(ACLs e.g.) Windows Access Control

Object_A Object_B

USER_1 READ WRITE

USER_2 EXECUTE NONE

USER_N READ

The Revocation :

Delegation :

Controversies with Capabilities

Definition : The “principal” (authority) is ( ) from some global property of process.

“Authority that is exercised, but not selected, by its user” (Shapiro et al.)

Example : open(“file1”, “rw”)

Note : the subject is missing, but inferred from the process owner

Upside :

Downside :

Ambient Authority

First an organization must choose the access control model (DAC, MAC, RBAC).

Then the organization must select and implement different access control technologies.

Finally, Access Control Administration comes in two basic forms :

Access Control Administration

One entity is responsible for overseeing access to all corporate resources.

Provides a ( ) and ( ) method of controlling access rights.

Types of Centralized Access Control

Centralized Administration

Is a client/server authentication protocol and authenticates and authorizes remote users.

Most ISPs today use Radius to authenticate customers before they are allowed to access the Internet.

Radius is an open protocol and can be used in different types of implementations.

Uses UDP as a transport protocol

Only encrypts the user’s password as it is being transmitted from Radius client to the Radius server.

Is appropriate protocol when simplistic username/password authentication can take place and users only need an “accept” or “deny” for obtaining access.

[Note] Radius

Uses TCP as a transport protocol.

Encrypts all user data and does not have the vulnerabilities that are inherent in the radius protocol.

Presents true AAA (Authentication, authorization, and accounting) architecture.

[Note] TACAS

A protocol that has been developed to build upon the functionality of Radius and overcome many of its limitations.

AAA protocol.

Authentication : Provides PAP, CHAP, EAP, end to end protection of authentication information, replay attack protection.

Authorization : redirects, secure proxies, relays and brokers, state reconciliation, unsolicited disconnect, reauthorization on demand.

Auditing : reporting, ROAMOPS accounting, event monitoring.

Diameter provides the common AAA and security framework that different services can work within.

[Note] Diameter

Gives control of access to the people who are closer to the resources

Has no methods for consistent control, lacks proper consistency.

Decentralized Administration

Reference Monitor

Execution Monitors (EM)

Observe program execution.

Look at a program’s execution on a given input as a sequence of runtime events.

Terminating program’s execution if a violation of security is about to occur.

Introduction to IRM (Inlined Reference Monitors).

What is EM Good for?

Debugging, tracing, breakpoints, etc.

Auditing and Logging

Software testing : memory leaks, out-of-bounds array accesses, race conditions, atomicity, etc.

Security (aka. sandboxing, babysitting) like buffer overflow prevention etc.

Execution Monitors (EM) in Detail

EM : Focusing on one Execution Trace.

Easy to do (just observe and constrain).

EM can often approximate desired policy.

Schneider shows that reference monitors can (in theory) implement any ( ).

[Note] Safety and Liveness

[Lamport 77]

Safety Properties : Something ( ) will never happen.

The ‘safety’ property of access matrices in the HRU model meets indeed this description.

Liveness Properties : Something ( ) will happen. :

What EM Can & Can’t Do

EM ( ) do access control.

EM ( ) do information flow.

EM ( ) do Liveness/Availability(e.g. DoS).

Beyond EM

Security via Static Analysis, Dynamic Analysis, Type-Safe Languages, etc.

However, ( ) to reason about

Reference Monitor Anderson, J. 'Computer Security

Technology Planning Study', ESD-TR-73-51, US Air Force Electronic Systems Division (1973). Section 4.1.1

Execution monitor that forwards events to security-policy-specific validity checks.

Implementation requires ...

Reference Monitor

Validity Checks

Triggered by RM on each event.

Encodes the security policy.

Perform arbitrary computation to decide whether to allow event or halt.

(PS : RM+Validity checks sometimes called the ( ))

Practical Issues

In theory, a monitor could : examine the entire history and the entire machine

state to decide whether or not to allow a transition. perform an arbitrary computation to decide

whether or not to allow a transition.

In practice, most systems:

Otherwise, the overheads would be overwhelming. so policies are practically limited by the vocabulary

of labels, the complexity of the tests, and the state maintained by the monitor.

Commercial Security Kernels

SCOMP, GEMSOS, Trusted Solaris 8, Linux Security Modules (LSM) for Linux 2.6, TrustedBSD, MAC OS X, Xen hypervisor, etc.

L. J. Fraim. SCOMP: A solution to the multilevel security problem. IEEE Computer, 16(7):26-34, 1983.

R. Schell, T. Tao, and M. Heckman. Designing the GEMSOS security kernel for security and performance. In Proceedings of the National Computer Security Conference, 1985.

Sun Microsystems. Trusted Solaris 8 Operating System. http://www.sun.com/software/solaris/trustedsolaris/, February 2006.

C. Wright, C. Cowan, S. Smalley, J. Morris, and G. Kroah-Hartman. Linux Security Modules: General security support for the Linux kernel. In Proceedings of the 11th USENIX Security Symposium, pages 17-31, August 2002.

Security Engineering Lecture Notes (4/7)

Engineering

Transcript of Security Engineering Lecture Notes (4/7)

LABORATORY MANUAL - Bharathidasan Engineering …library.bec.ac.in/kbc/NOTES BEC/MECH/4 SEM/ME6411-MT -II LAB... · bharathidasan engineering college nattrampalli – 635 854 department

Security Engineering Lecture Notes (2/6)

Security Engineering Lecture Notes (5/7)

Notes Power Generator for Electrical Installation Engineering Technology

Department of Mechanical Engineering - StudentsFocusstudentsfocus.com/notes/anna_university/Mech/5SEM... · Department of Mechanical Engineering ... To determine the heat transfer

Trusted Computing Major Rich Goyette Security Architecture and Engineering Army Tactical Command and Control Systems.

CCIE Notes From Experience - Lagout Security/NLI/2006... · IP Subnetting ... Table 8: IP Subnetting Summary ... Rob Webber s CCIE Notes from Experience Version 7.0 . horizon. for

COMP 6710 Course NotesSlide 1-0 Auburn University Computer Science and Software Engineering Course Notes Set 1: Introduction to Software Engineering Computer.

[PPT]04년 금강고려화학 보안점검 브리핑 - copy.or.krdbworld.tistory.com/attachment/gk37.ppt · Web view네트워크 일반 Security Traffic Engineering VPN’s 6. ...

KASPERSKY ENDPOINT SECURITY FOR BUSINESS libre-service •Activation BYOD •Délivrance de certificat •Protection antivol Gestion centralisée ... for Lotus Notes/Domino Security

Lecture notes TKS 1606 Ekonomi Teknikbeta.lecture.ub.ac.id/files/2012/09/referensi-lain-engineering-economics.pdf · Lecture notes TKS 1606 Ekonomi Teknik 1 Prof. Dr. Ir. Danang Parikesit,M.Sc.

Security Engineering Lecture Note (3/6)

Adapted from notes by ECE 5317-6351 Prof. Jeffery …courses.egr.uh.edu/ECE/ECE5317/Class Notes/Notes 4 5317...Prof. David R. Jackson Dept. of ECE Notes 4 ECE 5317-6351 Microwave Engineering

15-413 Lecture Notes on Software Configuration …...Guenter Teubner 15-413 Software Engineering Fall 1998 1 2 15-413 Lecture Notes on Software Configuration Management Original slides

Civil-III-Engineering Mathematics - III [10mat31]-Notes

Security Engineering Lecture Notes (5/6)

Industrial Engineering unit 4.Production planning and control Notes by badebhau.

07.02.2013 | Security Engineering Group | Prof. Dr. Katzenbeisser Verhaltens-basierte Computerwurm-Erkennung.

ôòóû )UUODomain 3: Security Architecture and Engineering Domain 4: Communication and Network Security Domain 5: Identity and Access Management (IAM) Ï $*441$#, Domain 6: Security

Open Security Architecture - L'ASIQISO/IEC 21827, Systems Security Engineering Capability Maturity Model (SSE-CMM) ITIL COBIT Pour permettre l'utilisation d'un modèle déjà existant,